Email Retention Policy – Scope
February 26, 2010A primary communication vehicle
• An enterprise collaboration tool
• A personal filing cabinet
• An electronic record repository
• A storage glutton
• A legal and data management liability
To start with most companies make when creating an email retention policy is not involving all areas of the company in the construction/review process.
- An email retention policy is not just a legal document, it will effect employee productivity company-wide. So, the first step is to create a policy group with representatives from all major areas of the company.
- It is important that you understand how employees use the email system.
- Do they create their own personal archives?
- How often do they reference old emails?
- Understanding these things will ensure you don’t put in place procedures that will adversely affect employee productivity.
- User Email Categorization – Thinking that categorization of documents is necessary.
- Because various regulations require companies to retain certain documents for a specified number of years, many companies take this as the only way to retain documents. For example, in the Sarbanes-Oxley regulation, documents that show how a financial decision was made need to be retained for a certain amount of time.
- User error is a major problem with categorization. When users control record categorization, some documents that should be retained as business documents are not, and vice versa.
- The original reason for categorization was to avoid accumulating too many documents because that would increase physical space requirements and costs of offsite storage. Too many documents would also slow retrieval if the need arose because there would be fewer documents to have to wade through. This is based on an outdated reality. With electronic documents like email, storage space is plentiful and cheap, and with several of the email archiving and retrieval software programs on the market today, it doesn’t matter if there are terabytes of records, the search and retrieval are immediate.
- The final reason why categorization is a mistake is because there is no way to know for sure, at the time of creation of the email, that it may or may not be required during a future compliance audit or investigation. This is why it would be ideal to keep every record, instead of trying to have your staff inconsistently make guesses as to which documents should be retained and which should not.
- Action: Avoid manual and automatic categorization of documents, archive every document.
Business Goal
- Compliance should not be the business goal of a company. Business goals should be to become a better business; to reduce business risks, to improve business productivity; to improve customer service, and to ensure the company image and reputation is not damaged, etc..
- The mistake many companies make is to take the regulations literally and as complete business guidelines. They are not; they are government minimum standards. Do you want to operate your company solely according government minimum standards?
- Action: Make sure your business includes goals of achieving high ethical standards, solid operations and processes and an institutionalization of a culture of compliance from the top down. Compliance is an ongoing process that should be the by-product of these goals. If these are your business goals, then meeting compliance mandates will be easy.
Expensive
Thinking that a company needs an expensive, complex content management system to achieve email compliance.
- The truth is that it is much easier to have email be in compliance with most of the major regulations by simply archiving everything, keeping it in an easily accessible location, and being able to search by keyword, and produce requested documents in a timely fashion. All of this can be accomplished with a fairly priced email archiving solution, which can be installed in a day.
- Related to this same mistake is thinking that a backup tape system is sufficient for compliance requirements. It is not. Compliance is not about collecting data for a disaster recovery solution, it is about timely retrieval of specific data. Back up tapes will be more expensive in the long run, and are simply not a valid compliance solution.
- Action: Do the research to find reasonable priced email archiving vendors for small to medium sized companies that can implement their system in a few days. Do not rely on your tape back up system for email compliance.
- Who is in charge?
- How will you enforce this process?
Retention
Thinking that after the retention period ends, documents must be destroyed
- Regulations mandate a minimum period to keep your business documents, not a maximum period. Regulations do not compel a business to destroy their documents. Why should you keep business records longer than the retention period?
- Business documents are critical assets of the business, they hold corporate knowledge, customer histories, long term trends, and other information that can be used as a guide to the business long after an email retention period is over.
- All the ‘old’ reasons for deleting electronic documents are no longer valid, since storage costs are so low and email retrieval software is so widely available. There are more reasons than ever to keep all email records. The need for email search and retrieval will continue to increase because the quantity of email is increasing, and more information is created and stored only in email.
- Very recently, the judge in the Morgan Stanley v. Ronal Perleman case, created a precedent for requiring a company to produce records regardless of the fact that a company has a document retention policy and has already destroyed the emails in question. The net result of this case was that Morgan Stanley lost a $1.4 Billion judgment in part due to the inability to keep and retrieve their emails assets.
Action
Implement a permanent email archiving solution. I would argue that all emails should be kept forever, and I challenge why any email should ever be destroyed if we have the ability to inexpensively store it and easily access it when needed.
Once a company knows about or anticipates a lawsuit, it must implement a “litigation hold” and suspend normal procedures to preserve relevant data the court might request. Counsel should inform all employees, the IT department and the “key players” of the pending litigation as well as ensure that all relevant informati
on or sources of relevant information are discovered and preserved, and that non-privileged material is produced to the opposing party upon request. Failure to conduct an adequate search of documents before they are destroyed could constitute bad faith and warrant sanctions.
You must communicate the new policy to the employees. Employee communication and training can lower your compliance and legal liability. Ail retention policy should have the following topics:
1. Effective date
2. Last change date and changes made
3. Person or department responsible for the policy
4. Scope/coverage
5. Purpose of the policy
6. Policy statement: This can include a company philosophy statement about the business/legal/regulatory reasons for records retention
7. Definitions
8. Responsibilities
- § Procedures
9. Other retention policy guidelines
- Duplicate copies/convenience copies
- Consequences if the policy is not followed
10. Appendix A: Litigation hold/stop destruction policy including a backup procedure
www.bestitdocuments.com